What consent should include according to GDPR

In this article, we take a closer look at how to formulate proper consent according to GDPR. Paloma’s CEO, Peter Berg, guides us in the GDPR jungle. Come join us!

For consent to be considered valid, the new data protection regulation, GDPR, sets some requirements for how it should be formulated. What information must the data subject be provided with before he or she consents and what are the requirements?

Answer: Above all, the consent must be voluntary and informed. To be valid, the consent must be manifest on the part of the data subject if he or she approves the processing of personal data regarding him or her. The approval may be written, electronic or verbal.

What does ‘voluntary’ mean in this context?

Answer: You must give the data subject a clear and concise opportunity to opt out of the consent. If the consent is not voluntary, it is invalid. It is partly due to this that pre-filled out boxes and similar solutions are no longer allowed.

How should consent be formulated, according to GDPR?

Answer: The consent must be clearly specified. You must hence provide clear and concise information about what the processing entails and for what purpose you and your company will use the personal data. Are there several purposes? Yes, and you have to specify each and every purpose.

Every company, organisation, industry or similar that saves or in any way manages personal information about their employees or customers must also identify themselves to the data subject before the data subject consents. What information do I have to provide when I request consent?

Does GDPR have any other requirements for accurate consent?

Answer: Yes, you must also inform the data subject about any other parties that will have access to their personal data. Furthermore, you must state when the consent ceases to apply and how the data subject goes about withdrawing their consent.

Bullet points of how to formulate accurate consent and what information you must include:

1) Your purpose(s) for processing the data subject’s data.

2) What personal data you will process if consent is obtained.

3) Your and your company’s contact details and the names of any other recipients of the personal data.

4)The contact details of the data protection officer, if your company has appointed one.

5) Information about your obligation to disclose the personal data about the data subject when he or she requests this.

6) Information about the data subject’s right to request and obtain correction of his or her personal data.

7) Information about the data subject’s right to withdraw his or her consent and how he or she goes about doing that.

8) Information about the data subject’s right to be forgotten and how he or she goes about accomplishing that.

9) What protection measures are in place and how the data subject can obtain a copy of them or information of where they can be read, in the event that you, your company or other recipients of the personal data intend to disclose them to someone outside the EU.